Data Privacy and Gramm-Leach-Bliley Act Section 501(b)
- Thomasina Conley
Slide 1: Data Privacy and Gramm-Leach-Bliley Act Section 501(b)
October
Enterprise Risk Management, Inc.

Slide 2: Agenda
- Introduction and Fundamentals
- Gramm-Leach-Bliley Act, Section 501(b)
- GLBA Life Cycle
- Enforcement and Criminal Penalties
- Key Compliance Factors
- Q & A
2007 Enterprise Risk Management, Inc.
Slide 3: What is Privacy and Why Does It Matter?
- The management of sensitive customer information from intake to destruction under secure conditions, to improve customer service and maintain public trust in the organization.
- You can't have privacy without security, but you can have security without privacy.

Slide 4: Federal Regulation
- Constant vigilance is critical.
- "The FDIC takes a proactive approach to enforcing data security regulations and guidance." Sandra L. Thompson, Deputy Director, FDIC
- "If we do nothing, identity theft is going to go through the roof. It really means we should get on the stick and do something here. We're in the Wild West where companies can do anything they want." Senator Charles E. Schumer, Senate Banking Committee

Slide 5: Impacting Customers and Your Bottom Line

Slide 6: Consumer Attitudes (chart of survey percentages for three consumer segments: Fundamentalist, Pragmatist, Unconcerned; the individual bar values are not recoverable from the transcription)

Slide 7: How much would you pay to stay off the cover of The Herald?
Slide 8: Gramm-Leach-Bliley Act
- Requires financial institutions to ensure the security, confidentiality and integrity of non-public customer information.
- Prohibits financial institutions from sharing any information that is non-public with nonaffiliated third parties.
- Applies to institutions significantly engaged in providing financial activities, that is, financial products or services to consumers. These include:
  - Lending
  - Transferring
  - Economic advisory services
  - Brokering loans
  - Debt collecting
  - Providing real estate settlement services

Slide 9: Gramm-Leach-Bliley Act
- In addition to banks, the GLBA applies to businesses that significantly engage in financial activities. For instance:
  - Mortgage lender or broker
  - Check casher
  - Pay-day lender
  - Credit counseling service or other financial advisors
  - Professional tax preparers
  - Retailers that issue credit cards to consumers
  - Auto dealers that lease and/or finance

Slide 10: Nonpublic Information
- Nonpublic information can include:
  - Salary
  - Social security number
  - Account numbers
  - Account balances
  - Financial products purchased

Slide 11: Public Information
- The term "public information" means any information, regardless of form or format, that an agency discloses, disseminates or makes available to the public.
- Public information includes:
  - Public records (e.g., real estate disclosures, bankruptcy filings, tax liens)
  - Information from telephone white pages
  - Information from websites with non-restricted access

Slide 12: GLBA Section 501(b)
- Section 501 of the Gramm-Leach-Bliley Act requires financial institutions to follow standards set forth by the Agencies (e.g., FDIC, OCC, OTS, and the Board of Governors of the Federal Reserve System) to protect the security, confidentiality and integrity of non-public customer information through administrative, technical and physical safeguards.

Slide 13: GLBA Life Cycle
- Information Security Program
- Risk Assessment
- Vulnerability Assessment
- Implementation of Security Controls
- Board of Directors Involvement
- On-going Security Reviews and Information Security Program Adjustments
Slide 14: Information Security Program
- Each financial institution shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities.

Slide 15: Governance (program structure diagram)
- Governance: Board of Directors, Security Committee, Security Function, Legal, Human Resources, Help Desk, Other Departments
- Information Classification
- Security Metrics
- Assessments: Technical Audit, Vulnerability Tests, Penetration Tests, Self Assessments
- Inventory: Processes Inventory, System Inventory, Information Inventory
- Risk Assessment: BIA, Gap Analysis, Working Plans
- Implementation: Infrastructure, New Risk Assessment, Best Practices
- Controls: Security Policies, Security Standards, Security Procedures, Security Regulations, Security Awareness, Physical Security, Logical Security, Contingency Plan, Incident Response
- SLCM

Slide 16: Information Security Program
- The information security program shall be designed to:
  - Ensure the security, confidentiality and integrity of customer information.
  - Protect against any anticipated threats or hazards to the security, confidentiality and integrity of customer information.
  - Protect against unauthorized access to or use of customer information which could result in substantial harm or inconvenience to any customer.
Slide 17: Information Security Program
- Design the information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank's activities.
- Each financial institution must consider and adopt those security measures the bank determines are appropriate. Security measures include:
  - Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals.
  - Controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.

Slide 18: Information Security Program
  - Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities.
  - Encryption of electronically transmitted and stored customer information.
  - Procedures designed to ensure that customer information system modifications are consistent with the bank's information security program.
  - Dual control procedures and segregation of duties.
  - Employee background checks for employees with responsibilities for or access to customer information.

Slide 19: Information Security Program
  - Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems.
  - Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.
  - Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards such as fire, water damage, hurricanes or technological failures.

Slide 20: Information Security Program
- The organization applies adequate security measures to the selection and management of third party providers.
- Employees have the skill sets to implement the security program.
- Security training is provided to the organization's personnel.
- Regularly test key controls, systems and procedures.

Slide 21: Information Security Program
- Security Fundamental Principles:
  - Confidentiality: Information should be accessed only by authorized individuals. Prevent unauthorized access to information.
  - Integrity: Changes to information are performed by authorized individuals using authorized procedures. In addition, information should be consistent, in both internal and external form.
  - Availability: Information is available when needed.

Slide 22: Information Security Program
- Organizational Departments: The Information Security Program will impact all departments. Some departments are more involved than others.
- Legal Department:
  - Evaluate third party contracts
  - Support for incident response situations
  - Review laws and regulations
  - Interact with other lawyers and with law enforcement

Slide 23: Information Security Program
- Organizational Departments:
- Human Resources Department:
  - Process employees when they are hired, transferred to a new position and terminated
- Help Desk Department:
  - Identify Information Security Help Desk persons responsible for answering information security related problems
  - Provide the first line of defense against social engineering targeting information security

Slide 24: Information Security Program
- Security Metrics: Information systems security metrics provide a practical approach to measuring information security within the organization. Good metrics tie closely to business strategies, objectives, program maturity and the company's control environment.
- Some security metrics include:
  - Time to install software patches (if the business units apply their own patches)
  - Lost or stolen mobile computers
  - Rogue wireless access points discovered
  - Delay between employee termination and the manager seeking access shutoff
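Two of the metrics on this slide, time to install patches and the delay between termination and the manager's access shutoff request, can be computed directly from HR, help desk and patch records. The Python below is an added example written for this page, not code from the presentation or from Enterprise Risk Management, Inc.; the record layouts, the 24-hour shutoff and 14-day patch thresholds, and all sample records are constructed assumptions. It also reports terminations for which no shutoff request exists at all, which is the case a simple average would hide.

```python
"""Compute two of the security metrics listed on the slide from constructed records:
delay between employee termination and the manager's access shutoff request, and
time to install software patches per business unit."""
from datetime import datetime
from statistics import mean

# Constructed HR termination records: employee id -> termination time.
TERMINATIONS = {
    "e1001": datetime(2007, 10, 1, 17, 0),
    "e1002": datetime(2007, 10, 3, 9, 30),
    "e1003": datetime(2007, 10, 5, 12, 0),
}
# Constructed help desk records: employee id -> time the manager asked for access shutoff.
# e1003 has no request at all; that gap is a finding in its own right.
SHUTOFF_REQUESTS = {
    "e1001": datetime(2007, 10, 1, 17, 30),
    "e1002": datetime(2007, 10, 6, 9, 30),
}
# Constructed patch records: (business unit, patch id, vendor release date, install date).
PATCH_EVENTS = [
    ("retail", "PATCH-1", datetime(2007, 9, 1), datetime(2007, 9, 4)),
    ("retail", "PATCH-2", datetime(2007, 9, 10), datetime(2007, 9, 15)),
    ("lending", "PATCH-1", datetime(2007, 9, 1), datetime(2007, 9, 21)),
]


def shutoff_delays(terminations, requests):
    """Hours from termination to shutoff request per employee; None if never requested."""
    delays = {}
    for emp, terminated_at in terminations.items():
        requested_at = requests.get(emp)
        delays[emp] = (None if requested_at is None
                       else (requested_at - terminated_at).total_seconds() / 3600)
    return delays


def patch_days_by_unit(events):
    """Mean days from patch release to install, per business unit that applies its own patches."""
    per_unit = {}
    for unit, _patch_id, released, installed in events:
        per_unit.setdefault(unit, []).append((installed - released).days)
    return {unit: mean(days) for unit, days in per_unit.items()}


def metrics_report(terminations, requests, events, shutoff_sla_hours=24, patch_sla_days=14):
    """Roll the raw measurements up into the figures a security committee would track.
    The SLA thresholds are assumed values, not from the slide deck."""
    delays = shutoff_delays(terminations, requests)
    measured = [d for d in delays.values() if d is not None]
    patch_days = patch_days_by_unit(events)
    return {
        "shutoff_never_requested": sorted(e for e, d in delays.items() if d is None),
        "shutoff_over_sla": sorted(e for e, d in delays.items()
                                   if d is not None and d > shutoff_sla_hours),
        "shutoff_mean_hours": mean(measured) if measured else None,
        "patch_mean_days": patch_days,
        "patch_units_over_sla": sorted(u for u, d in patch_days.items() if d > patch_sla_days),
    }


if __name__ == "__main__":
    for name, value in metrics_report(TERMINATIONS, SHUTOFF_REQUESTS, PATCH_EVENTS).items():
        print(f"{name}: {value}")
```

Reporting the employees with no shutoff request separately matters: averaging only the measured delays would show a mean of about 36 hours and conceal that one terminated employee's access was never revoked at all.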
Slide 25: Risk Assessment
- Each financial institution shall:
  - Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information systems.
  - Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
  - Assess the sufficiency of security controls in place to control risks.

Slide 26: Risk Assessment
- Determines levels of exposure of systems and data to external and internal threats.
- Identifies, analyzes, and prioritizes risks that could compromise confidentiality, integrity, and availability of critical systems and data.
- Identifies controls that are available and controls that are missing.
- Includes a business impact analysis and a gap analysis.

Slide 27: Methodology: Risk Assessment
- Phase 1: Inventory of information assets
  - Systems and applications
  - Electronic documents
  - Manual documents
- Phase 2: Classification of information assets
  - Sensitivity of asset: public, confidential or top secret
  - Security component: confidentiality, integrity and availability

Slide 28: Methodology: Risk Assessment
- Phase 3: Threat analysis
  - Probability that the threat will occur: various levels ranging from low to high
  - Impact on the institution if the threat materializes: low, medium or high
- Phase 4: Controls/safeguards analysis
  - Existence and degree of security controls currently in place: yes, no or partial
  - Integrates results from the vulnerability assessment

Slide 29: Gap Analysis: Risk Assessment
- Comparison between the controls and safeguards identified as being in place and the controls that should be in place.
- Document residual risk and the disposition of the risk.
- Ensure logical and justifiable reasoning is used to accept risks.

Slide 30: Gap Analysis: Risk Assessment
- Ensure management formally approves any decision to accept risks.
- The result of this phase is a set of working plans with security controls implementation priorities.
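The four methodology phases (slides 27 and 28) and the gap analysis (slides 29 and 30) can be carried out over a small risk register: inventory and classify the assets, score each threat's probability and impact, record whether the required control is in place, then document residual risk and its disposition and rank the controls to implement into working plans. The Python below is an added example written for this page, not code from the presentation or from Enterprise Risk Management, Inc.; the numeric scales, the residual-risk factors for yes/partial/no controls, the acceptance threshold, and the sample assets, threats and management approvals are all constructed assumptions.

```python
"""Risk register: asset inventory and classification (Phases 1-2), threat and
controls analysis (Phases 3-4), then gap analysis with documented dispositions."""
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}                       # Phase 3 probability/impact
SENSITIVITY = {"public": 1, "confidential": 2, "top secret": 3}   # Phase 2 sensitivity class
# Assumed factors: share of the inherent risk that remains given the control status (Phase 4).
RESIDUAL_FACTOR = {"yes": 0.25, "partial": 0.6, "no": 1.0}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str            # "system", "electronic document" or "manual document"
    sensitivity: str     # "public", "confidential" or "top secret"
    components: tuple    # security components at stake, subset of ("C", "I", "A")


@dataclass(frozen=True)
class Threat:
    asset: str
    description: str
    probability: str     # low / medium / high
    impact: str          # low / medium / high
    control: str         # safeguard that should be in place
    control_status: str  # "yes", "partial" or "no": degree to which it is in place


@dataclass
class Finding:
    asset: str
    threat: str
    control: str
    inherent: int
    residual: float
    disposition: str     # "mitigate", "accepted by ..." or "pending management approval"


def inherent_risk(asset: Asset, threat: Threat) -> int:
    """Probability x impact, weighted by the asset's sensitivity class."""
    return LEVEL[threat.probability] * LEVEL[threat.impact] * SENSITIVITY[asset.sensitivity]


def residual_risk(inherent: int, control_status: str) -> float:
    """Risk left after the control currently in place (rounded to avoid float noise)."""
    return round(inherent * RESIDUAL_FACTOR[control_status], 2)


def gap_analysis(assets, threats, approvals, accept_below=3.0):
    """Compare the controls in place with the controls that should be in place and
    record residual risk and disposition per threat. A low residual risk is only
    marked accepted when management has formally approved it; otherwise it stays pending."""
    by_name = {a.name: a for a in assets}
    findings = []
    for t in threats:
        inh = inherent_risk(by_name[t.asset], t)
        res = residual_risk(inh, t.control_status)
        if res >= accept_below:
            disposition = "mitigate"
        elif (t.asset, t.description) in approvals:
            disposition = "accepted by " + approvals[(t.asset, t.description)]
        else:
            disposition = "pending management approval"
        findings.append(Finding(t.asset, t.description, t.control, inh, res, disposition))
    return sorted(findings, key=lambda f: f.residual, reverse=True)


def working_plan(findings):
    """Controls to implement, highest residual risk first: (priority, asset, control)."""
    to_mitigate = [f for f in findings if f.disposition == "mitigate"]
    return [(i + 1, f.asset, f.control) for i, f in enumerate(to_mitigate)]


# Constructed sample register (not from the slide deck).
ASSETS = [
    Asset("Core banking system", "system", "top secret", ("C", "I", "A")),
    Asset("Loan files (records room)", "manual document", "confidential", ("C",)),
    Asset("Public rate sheet", "electronic document", "public", ("I",)),
]
THREATS = [
    Threat("Core banking system", "unauthorized remote access to customer accounts",
           "medium", "high", "Multi-factor authentication for remote access", "partial"),
    Threat("Core banking system", "loss of the data center to fire",
           "low", "high", "Offsite backups and tested contingency plan", "yes"),
    Threat("Loan files (records room)", "unauthorized physical access to records room",
           "medium", "medium", "Badge-controlled access to records room", "no"),
    Threat("Public rate sheet", "defacement of the published rate sheet",
           "medium", "low", "Change control on web content", "yes"),
]
# Constructed: formal management approvals for accepting a residual risk.
APPROVALS = {("Core banking system", "loss of the data center to fire"): "CISO, 2007-10-15"}

if __name__ == "__main__":
    for f in gap_analysis(ASSETS, THREATS, APPROVALS):
        print(f"{f.residual:5.2f}  {f.asset}: {f.threat} -> {f.disposition}")
    print(working_plan(gap_analysis(ASSETS, THREATS, APPROVALS)))
```

Note that the register never marks a risk accepted on its own: a residual risk below the threshold without an entry in the approvals record stays "pending management approval", which is how the requirement on slide 30 (management formally approves any decision to accept risk) shows up in the output.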
Slide 31: Risk Assessment
- Perform risk assessments on a regular basis.
- As the organization, processes, infrastructure, systems and data change with time, the risk assessment needs to be conducted again to identify new risks.
- Risk assessment is an on-going process.

Slide 32: Vulnerability Assessment
- Assess the overall adequacy of existing security controls present in the infrastructure and associated processes under review.
- The assessment is performed using a snapshot of the security controls currently in place.
- The assessment focuses on each individual component's security posture.
- Vulnerability assessment can include:
  - Operating Systems
  - Critical Applications
  - Database Systems
  - Networking Components
  - Interfaces between applications

Slide 33: Vulnerability Assessment
- A vulnerability assessment is NOT exclusively a technical security review.
- All security controls related to the area under review should be considered, including:
  - Technical
  - Non-Technical

Slide 34: Vulnerability Assessment
- Identifies potential security weaknesses in the infrastructure and associated processes of an organization.
- Identifies existing security controls and whether they are working as expected.
- Identifies gaps between existing security configurations, required security standards and industry best practices.

Slide 35: Vulnerability Assessment
- Can assess the security controls implemented in the organization's infrastructure.
- Can verify against a standard or best practice.
- Can provide a benchmark.

Slide 36: Vulnerability Assessment
- Cannot ensure 100% security.
- Cannot assess the informal internal processes and procedures (e.g., password sharing).
- Cannot detect fraud.

Slide 37: Implementation of Security Controls: Working Plans
- Working plans must be developed prior to the implementation of security controls.
- Develop strategic and detailed plans addressing the areas where security is required to mitigate the risks found during the risk assessment and vulnerability assessment.
- Develop detailed plans per area and include specific tasks to be performed, the individual responsible and due dates.
- Perform periodic reviews to identify the progress and issues related to each security plan.
- Inform executive management and the board of directors of the progress and issues related to the security plans.

Slide 38: Implementation of Security Controls
- Once the risks are fully identified, the team can select controls (safeguards, standards, rules, etc.) that best protect against the specific risk.
- Controls will cover automated and manual controls.
- A repository or database of security controls and their status should be implemented and updated periodically.
- Implement in a test environment, evaluate and migrate into the production environment.

Slide 39: Board of Directors Involvement
- The board of directors or an appropriate committee of the board of each financial institution shall:
  - Approve the bank's written information security program.
  - Oversee the development, implementation, and maintenance of the bank's information security program, including assigning specific responsibility for its implementation and reviewing reports from management (e.g., risk assessment and vulnerability assessment).

Slide 40: Board of Directors Involvement
- The success of the Information Security Program will depend on the support, direction and management of the board of directors and management.
- Entities should have an adequate security structure within their board of directors and throughout the organization as a whole.

Slide 41: On-going Process
- Perform on-going periodic reviews and adjustments of the security program.
- Perform on-going evaluations of existing security controls.
- Perform on-going implementations of required controls.
- Perform on-going updates to the central repository or database of security controls.
- Keep the board of directors informed of the activities related to the security initiatives.

Slide 42: Assessments: On-going Process
- Assessments should be performed at least yearly for critical areas.
- It is recommended to combine different types of assessments throughout the year.
- Every time a new application is deployed in the production environment, it is good practice to perform a security assessment.

Slide 43: Enforcement
- The GLB Act gave the Bank Regulatory Agencies (OCC, FDIC, etc.) enforcement authority.
- The bank regulators are taking both informal and formal enforcement actions against banks that fail to comply with the GLBA.

Slide 44: Enforcement
- If regulators find inadequacies in the financial institution's program for securing customer data, the regulators may pursue an informal agreement to remedy the security weaknesses.
- For example, in a recent examination of an institution, the FDIC required improvements with respect to risk assessment and controls.

Slide 45: Enforcement
- Formal enforcement actions include written agreements, cease and desist orders and civil money penalties.
- For example, the FDIC has issued a cease and desist order requiring periodic penetration tests.

Slide 46: Criminal Penalties
- It is a crime for anyone to knowingly and intentionally obtain or cause the disclosure of customer information through fraudulent means.
- For smaller offenses, the maximum sentence is 5 years imprisonment and a $250,000 fine for individuals, and a $500,000 fine for corporations.
- For aggravated offenses, the maximum sentence is 10 years imprisonment and a $500,000 fine for individuals, and a $1,000,000 fine for corporations.

Slide 47: Key Compliance Factors
- Degree of board involvement.
- Quality of risk assessment and security control testing.
- Adequacy of the security program in managing and controlling risk.
- Effectiveness of third party provider oversight measures.
- Existence and enforcement of change management procedures to accommodate on-going changes to the security program.

Slide 48: How Can ERM and GT Help?
- Design a comprehensive security program.
- Perform risk assessments.
- Perform vulnerability assessments.
- Implement required automated and manual security controls.
- Assist with security training.
- Assist with on-going security log monitoring.
- Periodic on-going review and guidance.

Slide 49: Q&A
More informationCompliance and Industry Regulations
Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy
More informationUtica College. Information Security Plan
Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles
More informationTHE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS
THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.
More informationInformation Security: A Perspective for Higher Education
Information Security: A Perspective for Higher Education A By Introduction On a well-known hacker website, individuals charged students $2,100 to hack into university and college computers for the purpose
More informationExecutive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:
Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance
More informationTHE HARTFORD ASSET MANAGEMENT CHOICE sm POLICY NETWORK
THE HARTFORD ASSET MANAGEMENT CHOICE sm POLICY NETWORK SECURITY AND THEFT OF DATA COVERAGE APPLICATION Name of Insurance Company to which application is made NOTICE: THIS POLICY PROVIDES CLAIMS MADE COVERAGE.
More informationOverview 1. Coordination with GLBA Section 501(b) 1. Security Objectives 2. Regulatory Guidance, Resources, and Standards 2. Overview 3.
Table of Contents Introduction 1 Overview 1 Coordination with GLBA Section 501(b) 1 Security Objectives 2 Regulatory Guidance, Resources, and Standards 2 Security Process 3 Overview 3 Governance 4 Management
More informationInformation Security Program Management Standard
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
More informationAttaining HIPAA Compliance with Retina Vulnerability Assessment Technology
l Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology Overview The final privacy rules for securing electronic health care became effective April 14th, 2003. These regulations require
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationInformation Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services
Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...
More informationInformation Resources Security Guidelines
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
More informationHIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More informationPCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
More informationThe potential legal consequences of a personal data breach
The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.
More informationHOW TO COMPLY WITH THE NEW INFORMATION SECURITY STANDARDS: A DO IT YOURSELF MANUAL FOR COMMUNITY BANKS AND THRIFTS PREPARED FOR THE CONFERENCE OF STATE BANK EXAMINERS By THE CODA GROUP, INC. BARNETT SIVON
More informationInformation Security Program
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
More informationPart A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...
Part A OVERVIEW...1 1. Introduction...1 2. Applicability...2 3. Legal Provision...2 Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...3 4. Guiding Principles...3 Part C IMPLEMENTATION...13 5. Implementation
More informationCYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131
CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations
More informationJOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015
JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement
More informationOCIE CYBERSECURITY INITIATIVE
Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.
More informationHIPAA Compliance: Are you prepared for the new regulatory changes?
HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationHow Much Do I Need To Do to Comply? Vice president SystemExperts Corporation
How Much Do I Need To Do to Comply? Richard E. Mackey, Jr. Vice president SystemExperts Corporation Agenda Background Requirements and you Risk language Risk Factors Assessing risk Program elements and
More informationINFORMATION SECURITY STRATEGIC PLAN
INFORMATION SECURITY STRATEGIC PLAN UNIVERSITY OF CONNECTICUT INFORMATION SECURITY OFFICE 4/20/10 University of Connecticut / Jason Pufahl, CISSP, CISM 1 1 MISSION STATEMENT The mission of the Information
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationJohn Essner, CISO Office of Information Technology State of New Jersey
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
More informationClient Advisory October 2009. Data Security Law MGL Chapter 93H and 201 CMR 17.00
Client Advisory October 2009 Data Security Law MGL Chapter 93H and 201 CMR 17.00 For a discussion of these and other issues, please visit the update on our website at /law. To receive mailings via email,
More informationINFORMATION SECURITY PROGRAM
Approved 1/30/15 by Dr. MaryLou Apple, President MSCC Policy No. 1:08:00:02 MSCC Gramm-Leach-Bliley INFORMATION SECURITY PROGRAM January, 2015 Version 1 Table of Contents A. Introduction Page 1 B. Security
More informationTape Vaulting Audit And Encryption Usage Analysis
Tape Vaulting Audit And Encryption Usage Analysis Prepared for Public Presentation (includes SB 1386, Gramm Leach Bliley, and Personal Data Protection and Security Act of 2005 Customer Information Protection
More informationFedRAMP Standard Contract Language
FedRAMP Standard Contract Language FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal
More informationPOLICIES. Campus Data Security Policy. Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central.
POLICIES Campus Data Security Policy Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central Policy Statement Policy In the course of its operations, Minot State University
More informationSpecific observations and recommendations that were discussed with campus management are presented in detail below.
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California State University, San Bernardino Audit Report 14-55 March 18, 2015 EXECUTIVE SUMMARY OBJECTIVE
More informationWHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR
KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST Protecting Identities. Enhancing Reputations. IDT911 1 DATA BREACHES AND SUBSEQUENT IDENTITY THEFT AND FRAUD THREATEN YOUR ORGANIZATION
More informationHEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY
More informationUNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C
UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information
More informationAUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM
GENERAL: The Technology department is responsible for the managing of electronic devices and software for the District, as well as the Help Desk for resolution of employee-created help tickets. The subgroups
More informationEd McMurray, CISA, CISSP, CTGA CoNetrix
Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats
More informationAPHIS INTERNET USE AND SECURITY POLICY
United States Department of Agriculture Marketing and Regulatory Programs Animal and Plant Health Inspection Service Directive APHIS 3140.3 5/26/2000 APHIS INTERNET USE AND SECURITY POLICY 1. PURPOSE This
More informationSAFE ONLINE BANKING. Online Banking, Data Security You. Your Partnership for Safe Online Banking
SAFE ONLINE BANKING Online Banking, Data Security You & Your Partnership for Safe Online Banking Partnering for Online Security O Online banking has grown rapidly from a niche service to a major new way
More information